Abstract

The coordination modelling language Paradigm addresses collaboration between components in terms
of dynamic constraints. Within a Paradigm model, component dynamics are consistently specified at a
detailed and a global level of abstraction. To enable automated verification of Paradigm models, a
translation of Paradigm into process algebra has been defined in previous work. In this paper we
investigate, guided by a client-server example, reduction of Paradigm models based on a notion of
global inertness. Representation of Paradigm models as process algebraic specifications helps to
establish a property-preserving equivalence relation between the original and the reduced Paradigm
model. Experiments indicate that in this way larger Paradigm models can be analyzed.

1 Introduction

Within the current software architecture practice, architectures are mostly used for describing
static aspects of software systems. Techniques that allow system architects to describe coordination
among components within an architecture and to reason about the dynamics of the system in its
entirety, are not commonly used. The coordination description language Paradigm helps the designer
to merge different dynamic aspects of a system. At the same time the language allows for the
description of both detailed and global behaviour of an individual component, i.e. its own specific
behaviour and separately its interaction with other components, and the language is particularly
helpful in enforcing consistency in the behaviour of large sets of interrelated components.

The coordination modeling language Paradigm [9, 10] specifies roles and interactions within
collaborations between components. Interactions are in terms of temporary constraints on the
dynamics of components. To underpin Paradigm models with formal verification and automated
analysis, the Paradigm language has been linked with the mCRL2 toolset ifTTTl via its translation to
the process algebra ACP [6, 3] and with the probabilistic modelchecker Prism |[T5l l4l via a direct
encoding scheme. Process algebras (PA for short), such as CCS, CSP, LOTOS and ACP, provide a
powerful framework for formal modeling and reasoning about concurrent systems, which turns out to
be very suitable for our needs in the setting of coordination. The key concepts of compositionality
and synchronization in process algebra are mostly exploited in our translation. As detailed and
global aspects of component behaviour are specified by separate PA specifications, the vertical
constraints are encoded through synchronizations expressing consistency of detailed and global
component behaviour. Horizontal constraints at the protocol level are naturally captured by parallel
composition, synchronization and encapsulation.

While the translation to ACP and mCRL2 allows for formal verification of Paradigm models [3, 2, 4],
the omnipresent problem of state space explosion when analyzing large models occurs here as well. In
the present paper, we address the question of reducing Paradigm models of coordination. The
reduction method applies to a component's behaviour, reducing the representation of the vertical
constraints of that component by abstracting away any information on the component behaviour
irrelevant for these constraints. To this end, the benefit of the translation of Paradigm language
into ACP is twofold. On the one hand, we borrow the abstraction concept from PA and apply it directly
in Paradigm on detailed behaviour. On the other hand, the translation provides us with a formal
proof methodology to reason and guarantee that the reduced Paradigm model has the same properties as
the original model. As a matter of fact, it has gradually become evident that separating detailed
from global behaviour as supported by the Paradigm language, allows us to reason about reduction by
abstraction in a rather natural way. We shall clarify this point after the Paradigm overview, at the
end of Section 2.

Our work on dynamic consistency in a horizontal and vertical dimension has been influenced by the
work of Küster JTJfHl. Related work includes the Wright language HI which, based on CSP, provides FDR
support to check both types of consistency properties. Other bridges from software architecture to
automated verification include the pipeline from UML via Rebeca and Promela to the SPIN
model-checker and from UML via Object-Z and CSP to the FDR model-checker [19, 16]. Process algebra
driven prototyping as coordination from CCS is proposed in lfl"8l. The skeletons generated from
CCS-specifications overlap with Paradigm collaborations. In the TITAN framework ifTTl, CCS is playing
a unifying role in a heterogeneous environment for aspect-oriented software engineering. Recently the
coordination language Reo has been equipped with a process algebraic interpretation (21 [21. The
encoding of Reo into mCRL2 and subsequent analysis has been integrated in the ECT toolset for Reo
[13].

We present our idea by means of an example. The system we consider consists of n clients who try to
get service from one server exclusively, a critical section problem, where the server is supposed to
choose the next client in a non-deterministic manner. While the translation of the Paradigm model
into PA for the example is done manually, the toolset mCRL2 is exploited to generate the complete
state spaces, on which further analysis can be done. Initial results show a substantial reduction in
the size of the state space. In Section 2, Paradigm is summarized on the basis of the above example.
Section 3 briefly introduces our process algebra translation for the example model. In Section 4 we
present our reduction techniques. Section 5 concludes the paper.

2 Paradigm and a critical section model 

This section briefly describes the central notions of Paradigm: STD, phase, (connecting) trap, role and 
consistency rule. 

• An STD $Z$ (state-transition diagram) is a triple $Z = (ST, AC, TR)$ with $ST$ the set of states,
$AC$ the set of actions and $TR \subseteq ST \times AC \times ST$ the set of transitions of $Z$,
notation $x \xrightarrow{a} x'$.

• A phase $S$ of an STD $Z = (ST, AC, TR)$ is an STD $S = (st, ac, tr)$ such that $st \subseteq ST$,
$ac \subseteq AC$ and $tr \subseteq \{\, (x, a, x') \in TR \mid x, x' \in st,\ a \in ac \,\}$.

• A trap $t$ of phase $S = (st, ac, tr)$ of STD $Z$ is a non-empty set of states $t \subseteq st$
such that $x \in t$ and $x \xrightarrow{a} x' \in tr$ imply $x' \in t$. A trap $t$ of phase $S$ of
STD $Z$ connects phase $S$ to a phase $S' = (st', ac', tr')$ of $Z$ if $t \subseteq st'$. Such
trap-based connectivity between two phases of $Z$ is called a phase transfer and is denoted as
$S \xrightarrow{t} S'$.

• A partition $\pi = \{\, (S_i, T_i) \mid i \in I \,\}$ of an STD $Z = (ST, AC, TR)$, $I$ a
non-empty index set, is a set of pairs $(S_i, T_i)$ consisting of a phase
$S_i = (st_i, ac_i, tr_i)$ of $Z$ and of a set $T_i$ of traps of $S_i$.

• A role at the level of a partition $\pi = \{\, (S_i, T_i) \mid i \in I \,\}$ of an STD
$Z = (ST, AC, TR)$ is an STD $Z(\pi) = (ST, AC, TR)$ with $ST \subseteq \{\, S_i \mid i \in I \,\}$,
$AC \subseteq \bigcup_{i \in I} T_i$ and
$TR \subseteq \{\, S_i \xrightarrow{t} S_j \mid i, j \in I,\ t \in AC \,\}$ a set of phase
transfers. $Z$ is called the detailed STD underlying global STD $Z(\pi)$, being role $Z(\pi)$.

• A consistency rule or protocol step for an ensemble of STDs $Z, Z_1, \ldots, Z_k$ and roles
$Z_1(\pi_1), \ldots, Z_k(\pi_k)$ is a nonempty set of phase transfers preceded by one extra
transition.

• Let $Z : x \xrightarrow{a} x' \;*\; Z_1(\pi_1) : S'_1 \xrightarrow{t_1} S''_1, \ldots,
Z_k(\pi_k) : S'_k \xrightarrow{t_k} S''_k$ be a consistency rule for a given ensemble;
$Z_1, \ldots, Z_k$ are participants of it, $Z$ is conductor.

• A Paradigm model is an ensemble of STDs, roles thereof and consistency rules.

The above notions constitute Paradigm models. The semantics thereof are roughly as follows: a
consistency rule has synchronization of its phase transfers and its conductor transition, only if
all connecting traps mentioned have been entered. Detailed transitions are allowed in the current
state of an STD, only if the current phase (state) of each role of the STD contains the transition.
In this way, phases are constraints on underlying STD dynamics imposed by protocols (sets of protocol
steps). In a mirrored way, traps impose constraints on the behaviour at the protocol level, as traps
are involved in the firing of consistency rules.

Figure 1: (a) detailed STD of Client, (b) partition of three phases, (c) global STD Client(CS).



An STD is a step-wise description of the dynamics belonging to a component. It is visualized as a
directed graph: its nodes are states, its action-labeled edges are transitions. Initial states are
graphically indicated by a black dot-and-arrow. Figure 1a gives the so-called detailed STD of a
Client in and around a shop: starting in state Out the client cycles through states Waiting, Busy,
AtDoor and Out again, subsequently. The entire system we consider, contains n such clients,
dynamically the same, plus one different component, the server. For the complete system the overall
requirement is that only one client at a time, out of all n clients, is allowed to be in its state
Busy. So, being in state Busy is a Critical Section problem (abbreviated CS). To solve it, ongoing
Client_i dynamics is constrained by the phase prescribed currently. Figure 1b visualizes phases
Without, Interrupt and With. Phase Without excludes being in state Busy by prohibiting to take the
actions explain and thank. Contrarily, phase With allows both, going to and leaving state Busy.
Finally, the intermediate phase Interrupt is an interrupted form of Without, as action enter cannot
be taken, but being in state Waiting is allowed, though.

In view of a transfer from the current phase into a next phase to occur, enough progress within the
current phase must have been made: a connecting trap has to be entered first. Figure 1b pictures
relevant connecting traps for the above three phases, drawn as rectangles around the states the trap
consists of. In particular, we need trap triv to be connecting from Without to Interrupt, trap
notYet to be connecting from Interrupt back to Without, trap request to be connecting from Interrupt
forward to With and finally, trap done to be connecting from With back to Without. In this manner,
Figure 1b gives all ingredients needed for the dynamics of a Client_i STD at the level of partition
CS: see role Client_i(CS) in Figure 1c and repeated in Figure 2a.

Figure 2: (a) global process Client(CS) and (b) its refinement in view of translation.



Figure 2b presents a slightly refined diagram of the proper role STD in part (a). State names here,
additionally keep track of the trap most recently entered within a phase, as if it could be taken as
a smaller phase committed to within the larger one imposed. Action names still refer to a trap that
is entered, but they additionally discriminate between, first, registering the trap has been entered
and, second, thereafter using this for a phase transfer. This more refined view represents the
starting point for the ACP encoding of the global process, as discussed in the next section.

So far, we have discussed 'sequential composition' of constraints: imposed phases alternated with
traps committed to. Semantically, any current phase constrains the enabled transitions to those
belonging to the phase. So, at any moment a current detailed state belongs to the current phase too.
From this it follows, that the dynamics of the detailed STD and of the global STD are consistent, the
current global phase reflects the current local state. Paradigm's consistency rules are to the
essence of 'parallel composition': they express coupling of role steps of arbitrarily many
participants and a detailed step of one conductor. Any consistency rule specifies the simultaneous
execution of the steps mentioned in the rule, a transition of the conductor and phase transfers for
the participants.

To continue the example of n clients getting service, one at a time, we present a non-deterministic
coordination solution for the n clients via a server. The non-deterministic server checks the
clients in arbitrary order. If a client, when checked, wants help, it gets help by being permitted
to enter the critical section. If not, permission to enter is refused to it. Only after a client's
leaving the critical section, the server stops helping it by returning to the idle position, from
which it arbitrarily selects a next client for checking. In the example, the server provides a unique
conductor step for each consistency rule. The STD Server of the server is drawn in Figure 3. As
conductor, detailed steps of Server need to be coupled to phase transfers of each Client_i,
$1 \leq i \leq n$.

Figure 3: STD non-deterministic server Server.



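$$
\begin{aligned}
\mathit{Server} : \mathit{Idle} \xrightarrow{\mathit{check}_i} \mathit{NDChecking}_i \;&*\; \mathit{Client}_i(\mathit{CS}) : \mathit{Without} \xrightarrow{\mathit{triv}} \mathit{Interrupt} && (1)\\
\mathit{Server} : \mathit{NDChecking}_i \xrightarrow{\mathit{refuse}_i} \mathit{Idle} \;&*\; \mathit{Client}_i(\mathit{CS}) : \mathit{Interrupt} \xrightarrow{\mathit{notYet}} \mathit{Without} && (2)\\
\mathit{Server} : \mathit{NDChecking}_i \xrightarrow{\mathit{permit}_i} \mathit{NDHelping}_i \;&*\; \mathit{Client}_i(\mathit{CS}) : \mathit{Interrupt} \xrightarrow{\mathit{request}} \mathit{With} && (3)\\
\mathit{Server} : \mathit{NDHelping}_i \xrightarrow{\mathit{continue}_i} \mathit{Idle} \;&*\; \mathit{Client}_i(\mathit{CS}) : \mathit{With} \xrightarrow{\mathit{done}} \mathit{Without} && (4)
\end{aligned}
$$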

Note that for this protocol, each conductor step of the server corresponds to a phase change of
exactly one client. E.g., the server moves from the state Idle to NDChecking_i iff the global client
process Client_i(CS) changes from the phase Without to the phase Interrupt. The server then makes a
check_i transition. In general, there is a precondition, however. Within the phase Without
sufficient progress should have been made, such that the particular trap has been reached. In this
case, it is the trivial trap triv rendering the requirement superfluous, as the trivial trap,
containing all states of the phase Without, is trivially reached. For the actual checking, the next
two consistency rules, dependent on the trap notYet and request, respectively, decide the target of
the conductor transition and the next participant phase, viz. state Idle and phase Without or state
NDHelping_i and phase With, respectively. The last consistency rule couples the conductor's
returning from state NDHelping_i to Idle with trap done of phase With having been entered.

The consistency rules specify horizontal dynamic consistency, i.e. across components, here between
server and clients. Such specification is about coordination, i.e. what Paradigm actually models,
step-wise computation of next behavioural constraints. The constraining property imposed by a phase
implies, an underlying Client_i transition is allowed only if it belongs to the phase that
corresponds to the current state of the role of Client_i in the CS collaboration, i.e. the current
state of the global STD Client_i(CS). The constraining property Client_i commits to by entering a
trap, allows for a phase transfer, i.e. a transition of Client_i(CS), once the (connecting) trap is
entered. These two constraining properties syntactically guarantee vertical dynamic consistency,
i.e. within a component between its underlying STD and its role.

As mentioned in Section 1, it has become evident to us that separating detailed from global
behaviour as supported by the Paradigm language, allows one to reason about reduction by abstraction
in a rather natural way. The intuitive explanation for this is as follows: Global behaviour, actually
defining phases a system needs to go through during a particular coordination solution, is built on
top of the detailed behaviour: each global phase represents a sub-behaviour of the underlying
detailed behaviour. Nevertheless, not every action at the detailed level affects the current global
phase. Only some actions may enable a next phase transfer and hence may affect the protocol
execution. Thus, it is natural to try to detect the detailed actions that do not matter for, i.e.
that cannot be observed at, the protocol level. By hiding them, a reduced detailed behaviour is
obtained, just containing all relevant information and actions needed for proper execution of the
component role within the protocol. As we shall show for our running example, this information can
be extracted from the hierarchical structure per component in the Paradigm model, see Subsection
4.1. Note that all interaction between components (horizontal) and all hierarchical structure within
components (vertical), as specified in the Paradigm model in an explicit manner, are flattened in
the PA translation and hence their character being either horizontal or vertical, gets lost. Thus,
after the PA translation only a single communication pattern remains, from which it is no longer
straightforward to extract information needed for proper reduction of detailed behaviour.

Yet another aspect of the Paradigm model that can be justified and confirmed by the approach taken
here is discussed shortly in the paper, see Subsection 4.2. From the definition of Paradigm,
although provided with a formal operational semantics, it is not straightforward to see to what
extent a component's detailed behaviour is not affected by some constraints or coordination rule. In
particular, consistency rules for some complex model may have an unforeseen effect on detailed
component behaviour, in particular a deadlock at the detailed level. The translation from Paradigm
to ACP combined with the abstraction techniques discussed in the next section supports formal
verification of separate protocols and of overall coordination.

3 Paradigm model as a process algebraic specification 

In this section we show by means of the example introduced in Section 2, how a Paradigm model can be
translated into ACP. The general translation has been defined in Q to which we refer for more
detail. Roughly, each STD will be represented by a recursive specification. Vertical consistency in
Paradigm has to be expressed explicitly. In particular, to represent the interaction of a detailed
STD and the global STD, we use actions ok!(.) and ok?(.) that take the labels of detailed steps as
their argument. The complementary actions synchronize if the step of the detailed STD is allowed by
the current phase of the global STD as constraint. Thus, synchronization of actions ok!(.) and
ok?(.) between global STD and detailed STD reflects the current permission for the detailed step to
be taken.

In addition, we use the complementary actions at!(.) and at?(.) that take detailed states as their
arguments. The complementary actions synchronize if the step to be taken by the global STD is
allowed by the current trap of the detailed STD as constraint. Upon synchronization of at!(.) and
at?(.) the global process will update its trap information, if applicable. For the communication
within the protocol, here between the server and its clients, actions crule!(.) on the side of a
conductor are meant to complement crule?(.) actions on the side of the employees. Synchronization
leads to execution of the corresponding consistency rule: a detailed transition of the conductor,
phase changes for the employees involved.

For the concrete example the above amounts to the following. We adorn the n processes Client_i with
the actions at!, conveying state information, and actions ok?, regarding transition eligibility.



The LTS of process Client_i of Client_i is given in Figure 4a (with the subscript i suppressed). The
definition of process Client_i assures, the process really starts in close correspondence to
starting state Out from Figure 1a. The definition of process Out_i expresses: (1) upon being asked,
it can exchange state information while keeping the process as-is; (2) it can ask for permission to
take the analogue of transition enter from Figure 1a, in view of continuing with process Waiting_i
thereafter. Note, in the definition of process Busy_i, the possibility for exchange of state
information is not specified, as asking for it does never occur. Note, in Figure 1b, state Busy does
not belong to trap done.

Figure 4: Processes (a) Client and (b) Client(CS).



In a similar manner, the n processes Client_i(CS) are augmented with the actions at? and ok!. Now,
at the global level, the relevant information is the pair of the current phase and the current trap.
For example, the recursion variable Without_i[triv] represents that Client_i is constrained to phase
Without and hasn't reached a specific trap, whereas Interrupt_i[notYet] reflects that Client_i
committed to phase Interrupt resides in trap notYet. As these global processes play a participant
role in the protocol, the crule? actions for engaging in a consistency rule have been put in place
as well.



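$$
\begin{aligned}
\mathit{Client}_i(\mathit{CS}) &= \mathit{Without}_i[\mathit{triv}]\\
\mathit{Without}_i[\mathit{triv}] &= ok!(\mathit{leave}_i) \cdot \mathit{Without}_i[\mathit{triv}] + ok!(\mathit{enter}_i) \cdot \mathit{Without}_i[\mathit{triv}] + crule?(\mathit{triv}_i) \cdot \mathit{Interrupt}_i[\mathit{triv}]\\
\mathit{Interrupt}_i[\mathit{triv}] &= at?(\mathit{AtDoor}_i) \cdot \mathit{Interrupt}_i[\mathit{notYet}] + at?(\mathit{Out}_i) \cdot \mathit{Interrupt}_i[\mathit{notYet}]\\
&\quad + at?(\mathit{Waiting}_i) \cdot \mathit{Interrupt}_i[\mathit{request}] + ok!(\mathit{leave}_i) \cdot \mathit{Interrupt}_i[\mathit{triv}]\\
\mathit{Interrupt}_i[\mathit{notYet}] &= ok!(\mathit{leave}_i) \cdot \mathit{Interrupt}_i[\mathit{notYet}] + crule?(\mathit{notYet}_i) \cdot \mathit{Without}_i[\mathit{triv}]\\
\mathit{Interrupt}_i[\mathit{request}] &= crule?(\mathit{request}_i) \cdot \mathit{With}_i[\mathit{triv}]\\
\mathit{With}_i[\mathit{triv}] &= at?(\mathit{AtDoor}_i) \cdot \mathit{With}_i[\mathit{done}] + ok!(\mathit{explain}_i) \cdot \mathit{With}_i[\mathit{triv}] + ok!(\mathit{thank}_i) \cdot \mathit{With}_i[\mathit{triv}]\\
\mathit{With}_i[\mathit{done}] &= crule?(\mathit{done}_i) \cdot \mathit{Without}_i[\mathit{triv}]
\end{aligned}
$$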

The corresponding LTS of the specification Client_i(CS) of Client_i(CS) is given in Figure 4b.

As above, process Client_i(CS) is defined in close correspondence to Without_i[triv] being starting
state in Figure 2b. The ok!(.) actions provide the permission answers to requests from Client_i to
take a detailed step. The at?(.) actions ask for state information relevant for deciding a next,
smaller trap has been entered. The crule?(.) actions correspond to a phase change, so they
synchronize with a particular conductor step.

The final component of the Paradigm model that needs to be translated into ACP is the
non-deterministic server Server. In fact, the STD of the server as given in Figure 3 exactly
corresponds to its recursive specification; we only rename each transition label $\ell$ from Figure
3 into crule!($\ell$) to stay consistent with the general translation as defined in 0, for instance
permit_i is renamed into crule!(permit_i) in the PA specification. There is neither any ok(.) action
nor any at(.) action added here. This component plays the conductor role in the protocol and as such
it is represented only by its detailed behaviour (detailed STD). Therefore, no vertical constraints
are imposed on its detailed behaviour.

$$
\begin{aligned}
\mathit{Server} &= \mathit{Idle}\\
\mathit{Idle} &= crule!(\mathit{check}_1) \cdot \mathit{NDChecking}_1 + \cdots + crule!(\mathit{check}_n) \cdot \mathit{NDChecking}_n\\
\mathit{NDChecking}_i &= crule!(\mathit{permit}_i) \cdot \mathit{NDHelping}_i + crule!(\mathit{refuse}_i) \cdot \mathit{Idle}\\
\mathit{NDHelping}_i &= crule!(\mathit{continue}_i) \cdot \mathit{Idle}
\end{aligned}
$$

For the communication function '|' we put $at!(s) \mid at?(s) = \tau$ for 'states' $s$ = Out_i,
Waiting_i, AtDoor_i, and $ok?(a) \mid ok!(a) = ok(a)$, for actions $a$ = enter_i, explain_i,
thank_i, leave_i. Note, ACP allows to keep the result of the synchronization of ok?(a) and ok!(a)
observable, here as the action ok(a), for suitable a. We exploit this feature below to express
system properties, since the synchronization actions ok(a) describe detailed steps taken by clients.
E.g., observing ok(enter_i) indicates a service request made by Client_i. On the contrary,
synchronization of at!(.) and at?(.) is only used to update the information of the current detailed
state. The resulting actions are internal to the component and not needed in any further analysis.
Therefore, we safely use $\tau$ for the synchronization of at?(.) and at!(.).

Finally, we need to encode the coordination captured by the consistency rules. For example,
consistency rule (1) couples a detailed check_i step of the Server, being the conductor of the CS
protocol, to the global triv step of Client_i, being a participant in the CS protocol. The net result
is a state transfer, i.e. a transition $\mathit{Idle} \xrightarrow{\mathit{check}_i}
\mathit{NDChecking}_i$ for the server, and a phase transfer, i.e. a transition
$\mathit{Without} \xrightarrow{\mathit{triv}} \mathit{Interrupt}$ in the global STD for the i-th
client. Similar correspondences apply to the other consistency rules. Therefore, we put

$$
\begin{aligned}
crule!(\mathit{check}_i) \mid crule?(\mathit{triv}_i) &= \mathit{check}_i & crule!(\mathit{refuse}_i) \mid crule?(\mathit{notYet}_i) &= \mathit{refuse}_i\\
crule!(\mathit{permit}_i) \mid crule?(\mathit{request}_i) &= \mathit{permit}_i & crule!(\mathit{continue}_i) \mid crule?(\mathit{done}_i) &= \mathit{continue}_i
\end{aligned}
$$

As usual, unmatched synchronization actions will be blocked to enforce communication. We collect
those in the set $A = \{\, crule!, crule?, at?, at!, ok?, ok! \,\}$. Finally, the process for the
collaboration of the server and the n clients is given by

$$
\partial_A(\mathit{Client}_1 \parallel \mathit{Client}_1(\mathit{CS}) \parallel \cdots \parallel \mathit{Client}_n \parallel \mathit{Client}_n(\mathit{CS}) \parallel \mathit{Server}) \qquad (5)
$$

The next section is concerned with the intertwining of detailed and the global behavior, and
possible ways to reduce the component specification by abstracting away from specific detailed
activities. The process algebraic specification of our running client-server example will be used
below to establish relations between Paradigm models before and after reduction. Therefore, it comes
in handy to represent the overall behaviour of the Client component as the parallel composition of
its detailed and global behaviour. To this end, we denote the set of states of the detailed process
Client by $\mathit{States}_D = \{ \mathit{Out}, \mathit{Waiting}, \mathit{Busy}, \mathit{AtDoor} \}$,
the set of labels of its detailed transitions by
$\mathit{Labels}_D = \{ \mathit{enter}, \mathit{explain}, \mathit{thank}, \mathit{leave} \}$ and we
put

$$
AT = \{\, at!(s), at?(s) \mid s \in \mathit{States}_D \,\} \qquad OK = \{\, ok!(a), ok?(a) \mid a \in \mathit{Labels}_D \,\}
$$

and define $H = AT \cup OK$. Then the process combining detailed behaviour of Client and global
behaviour of Client(CS) can be expressed as Client(DG), with DG referring to 'detailed' and
'global', given by

$$
\mathit{Client}(\mathit{DG}) = \partial_H(\mathit{Client} \parallel \mathit{Client}(\mathit{CS}))
$$

Figure 5: Process Client(DG)



Figure 5 shows the behavior of Client(DG) graphically. The process describes the way the detailed
and global behaviors occur and constrain each other.

On the one hand, steps taken at the detailed level influence the current phase at the global level,
and therefore allow and forbid certain phase transitions at the global level. The global process and
its transitions are 'navigated' by the activities executed at the detailed level. For instance, the
effect of the detailed transition ok(enter) is described with the appearance of two triv
transitions. One of them captures the scenario in which the client has not yet required any service,
which means that enter has not been taken yet at the detailed level, although the server (conductor)
may offer service. It can be observed that this transition is followed by the phase transition
notYet which brings the process back to the initial state. We can also observe that as soon as the
detailed transition enter is taken, the enabled triv transition differs from the previous one.

On the other hand, from Client(DG) we can observe how each phase, i.e. a global state, constrains
the steps that can be taken locally. Moreover, it is specified exactly how a trap that is reached
blocks any detailed transitions, just as expected. For instance, we see that the action ok(leave) on
top of Figure 5 cannot be executed before the phase is changed, i.e. a step from With[done] to
Without[triv] via the global transition crule?(done). Note that such details, which are explicit and
easily observable from the ACP specification of the composition Client(DG), cannot be directly
detected in the Paradigm model.

Once systems are modeled algebraically, their behaviours can be compared. Comparison is typically
done by means of equivalence relations, chosen appropriately to preserve certain properties. Since
we aim at the mCRL2 toolset for tool support, we choose branching bisimulation JSJ as the
equivalence relation we apply. Indeed, branching bisimulation is the strongest in the spectrum of
behavioural equivalence relations, but yet weak enough to identify sufficiently many systems. Below
we adapt the definition from [8] (originally defined on labelled transition systems) to STDs with
uniquely indicated initial states. In fact, labelled transition systems (LTS), as a (visual)
representation of process algebraic specifications, can be seen also as STDs. Therefore, in the
sequel we do not make explicit distinction between LTSs and STDs.

Definition 1. For two STDs $Z = (ST, AC, TS)$, $Z' = (ST', AC', TS')$ a symmetric relation
$R \subseteq ST \times ST'$ is called a branching bisimulation relation if for all $s \in ST$ and
$t \in ST'$ such that $R(s,t)$, the following condition is met: if $s \xrightarrow{a} s'$ in $Z$,
for some $a \in AC \cup \{\tau\}$, then either $a = \tau$ and $R(s',t)$, or for some $n \geq 0$,
there exist $t_1, \ldots, t_n$ and $t'$ in $ST'$ such that
$t \xrightarrow{\tau} t_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} t_n \xrightarrow{a} t'$ in
$Z'$, $R(s,t_1), \ldots, R(s,t_n)$ and $R(s',t')$.

For two STDs $Z$ and $Z'$, two states $s \in Z$ and $t \in Z'$ are called branching bisimilar,
notation $s \mathrel{\underline{\leftrightarrow}_b} t$, if there exists a branching bisimulation
relation $R$ for $Z$ and $Z'$ such that $R(s,t)$. The STDs $Z$ and $Z'$ are branching bisimilar,
notation $Z \mathrel{\underline{\leftrightarrow}_b} Z'$, if their initial states are branching
bisimilar.

4 Reduction of the client processes 

In Section 3 we explained how ACP specifications are obtained from the detailed and global client
STDs, and how ACP's communication function captures synchronization of detailed and global steps,
guaranteeing consistent dynamics at both levels. Based on the complete client component we are able
to make several observations regarding the Paradigm approach to separate the detailed from the
global behaviour.

4.1 First-reduce then-compose 

The global STD of a component is an abstract representation of its detailed STD. It represents the
part of the behaviour of the component that is essential for the interaction within a given
collaboration. In general, for the global behaviour not all local transitions are relevant, most are
not influencing the overall coordination at all. Although not always easy to isolate, in actual
full-fledged systems only a restricted part of the whole system provides a specific functionality.
In such a situation, from a modeling perspective it is clarifying to abstract away the irrelevant
part and to concentrate on a reduced detailed behaviour containing the relevant interaction. As a
consequence, dealing with models that are purposely made concise becomes simpler, more feasible and
less error-prone.

In the previous sections, we have made a Paradigm model out of the components: detailed client STDs,
their global STDs and the server STD. Moreover, we have presented their translations into process
algebraic specifications. The overall behaviour of the client-server system is obtained by putting
the components involved in parallel and making them interact. In this section we show that we can
achieve the same total behaviour of the client-server system by first reducing the client components
and then composing the reduced versions afterwards with other components of the system. Reduction is
directly applied on the original Paradigm client model, by abstracting away irrelevant states and
local transitions.

It is intuitively clear that the global behaviour alone is not branching bisimilar to the overall
client behaviour Client(DG). This is because some local steps change the further global behaviour.
As a consequence, such local transitions can be detected at the global level. Extending terminology
going back to JH, we call these transitions globally non-inert. Similarly, a local transition is
referred to as globally inert if it cannot be observed, explicitly or implicitly, at the global
level. More specifically, it can be detected whether local action enter has been taken or not by
observing whether the global transition notYet or global transition request follows after global
step triv. Putting it differently, the transition labeled enter makes the difference for phase
Interrupt of residing in trap notYet or in trap request, as can be seen in Figure 1b. Thus, the local
transition enter is not globally inert. In a similar manner, the local action thank is not globally
inert as it enables (and so it can be detected) the execution of the global action done. In terms of
the partition, in phase With the action thank enters the trap done. On the other hand, again
referring to the phases of Client(CS) in Figure 1b, we see that the action leave is in each phase
either within a trap (phases Without and Interrupt) or not possible at all (phase With is missing the
target state Out). Likewise, the action explain is not possible (phases Without and Interrupt are
missing state Busy) or doesn't change the trap information (in phase With the transition doesn't
enter the trap done).

Definition 2. Let a Paradigm model be given. A detailed transition $x \xrightarrow{a} x'$ of a participant of a protocol is called globally inert 
with respect to its partition $\pi = \{\, (S_i, T_i) \mid i \in I \,\}$ if for all traps $t$ in $T_i$ it holds that $x \in t \iff x' \in t$ whenever both $x, x' \in S_i$, 
$i \in I$. An action $a$ is called globally inert for a participant of a protocol with respect to a partition, if all $a$-labeled transitions 
are. 

Using the notion of detailed transitions being globally inert or non-inert, we can reduce the detailed 
STD of the client. After renaming all globally inert transitions into $\tau$, we can identify branching bisimilar 
states. The resulting quotient STD for the client carries the behaviour that is necessary and sufficient for 
the global STD to interact with the other components, including the conductor of the collaboration. The 
composition of the process algebraic specifications of the quotient STD and the global Client(CS) behaves 
exactly (up to branching bisimulation) as the behaviour of the composition of the original detailed and 
global STDs together as represented by Client(DG). By congruence, composition of either of these systems 
with the other clients and the server leads, modulo branching bisimulation equivalence, to the same 
behaviour. This is summarized by the next result, where $\tau_I(P)$, for a set of labels $I$, represents the hiding of 
the actions in $I$ from $P$ by renaming them into $\tau$, and $\partial_J(P)$, for a set of labels $J$, is the encapsulation of the 
actions of $J$ from $P$ by blocking any transition of $P$ with label in $J$. 

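Lemma 3. Let $G \subseteq \mathit{Labels}_D$ be a subset of globally inert actions. Then it holds for the induced quotient QClient of Client that 

(i) $\mathit{QClient} \;\underline{\leftrightarrow}_b\; \tau_G(\mathit{Client})$, and 

(ii) $\partial_H(\mathit{QClient} \parallel \mathit{Client(CS)}) \;\underline{\leftrightarrow}_b\; \tau_{OK(G)}(\mathit{Client(DG)})$, where $OK(G) = \{\, ok(a) \mid a \in G \,\}$. 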



Figure 6: (a) process $\tau_G(\mathit{Client})$ and related states, (b) quotient STD QClient and (c) QClient. 



Proof. We consider the case of the maximal set of local actions that are globally inert, i.e. for $G = \{\, \mathit{explain}, \mathit{leave} \,\}$. Split the 
set of states $\mathit{States}_D$ of the detailed STD into $P = \{\, \mathit{Out}, \mathit{AtDoor} \,\}$ and $Q = \{\, \mathit{Waiting}, \mathit{Busy} \,\}$. Let QClient be the induced 
quotient STD, the STD obtained from Client by identifying the states Out and AtDoor as well as the states Waiting and Busy. 
The processes QClient and $\tau_G(\mathit{Client})$ are shown in Figure 6ab. A branching bisimulation between QClient and $\tau_G(\mathit{Client})$ 
can be immediately established, which proves the first part of the lemma. 

In order to prove the second part of the lemma, we first translate QClient into the process algebraic specification QClient 
whose STD is shown in Figure 6c. In order to compute the composition of QClient and Client(CS) the communication function 
has to be adapted to QClient. For the QClient process, Out and AtDoor are identified into P; similarly, Waiting and Busy are now 
represented by Q. Thus, a detailed QClient communication intention conveying 'at P' or 'at Q' updates the global process about 
the current local state. Hence, we extend the communication function with $at!(P) \mid at?(\mathit{Out}) = \tau$, $at!(P) \mid at?(\mathit{AtDoor}) = \tau$, 
$at!(Q) \mid at?(\mathit{Waiting}) = \tau$ and $at!(Q) \mid at?(\mathit{Busy}) = \tau$. Now we consider the process $\partial_H(\mathit{QClient} \parallel \mathit{Client(CS)})$ with 
$H = AT \cup OK$ as defined in Section 3 with AT extended accordingly. The composition is shown in Figure 7a, the process 
$\tau_{OK(G)}(\mathit{Client(DG)})$ is depicted in Figure 7b. It is straightforward to establish a branching bisimulation between these two 
processes. □ 
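
The inertness check of Definition 2 and the state split used in the proof above, as an added example (not code from the paper). The transition order of the client STD and the state sets of the phases and traps are assumptions chosen to agree with the prose of this section, and merging states linked by hidden transitions is a simplification that coincides with the branching-bisimulation quotient for this small STD only.

```python
# Added illustration, not from the paper. STD and partition are constructed to
# match the prose of Section 4.1; the exact state sets are assumptions.

# Detailed client STD as (source, action, target) triples.
CLIENT = [("Out", "enter", "Waiting"), ("Waiting", "explain", "Busy"),
          ("Busy", "thank", "AtDoor"), ("AtDoor", "leave", "Out")]

# Partition: phase name -> (phase states S_i, traps T_i as name -> state set).
PARTITION = {
    "Without":   ({"Out", "Waiting", "AtDoor"},
                  {"triv": {"Out", "Waiting", "AtDoor"}}),
    "Interrupt": ({"Out", "Waiting", "AtDoor"},
                  {"notYet": {"Out", "AtDoor"}, "request": {"Waiting"}}),
    "With":      ({"Waiting", "Busy", "AtDoor"},
                  {"done": {"AtDoor"}}),
}

def transition_inert(src, dst, partition):
    """In every phase holding both endpoints, no trap tells them apart."""
    for states, traps in partition.values():
        if src in states and dst in states:
            if any((src in t) != (dst in t) for t in traps.values()):
                return False
    return True

def inert_actions(std, partition):
    """An action is globally inert iff all transitions carrying it are."""
    actions = {a for _, a, _ in std}
    return {a for a in actions
            if all(transition_inert(s, d, partition)
                   for s, b, d in std if b == a)}

def quotient_classes(std, hidden):
    """Merge states linked by hidden transitions (small union-find)."""
    parent = {s: s for t in std for s in (t[0], t[2])}
    def find(s):
        while parent[s] != s:
            s = parent[s]
        return s
    for src, act, dst in std:
        if act in hidden:
            parent[find(src)] = find(dst)
    classes = {}
    for s in parent:
        classes.setdefault(find(s), set()).add(s)
    return {frozenset(c) for c in classes.values()}
```

With these inputs the check returns explain and leave as the globally inert actions, and hiding them merges the states into the classes P and Q of the proof.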

State names of $\tau_{OK(G)}(\mathit{Client(DG)})$ have been suppressed in Figure 7b for readability. Note that the number 
of states in $\tau_G(\mathit{Client(DG)})$ is 13, while the first-reduce then-compose approach with QClient and Client(CS) 
generates a process with 9 states only. See Table 1 below for more numerical results. 

Figure 7: Branching bisimilar processes: (a) $\partial_H(\mathit{QClient} \parallel \mathit{Client(CS)})$, (b) process $\tau_{OK(G)}(\mathit{Client(DG)})$. 

Figure 8: (a) adapted quotient process QClient, (b) composition of new QClient and Client(CS). 



It is obvious that not every choice of actions at the detailed level has the property of Lemma 3. For example, 
selecting the set of actions $G' = \{\, \mathit{enter}, \mathit{thank} \,\}$ yields a split-up into {Out, Waiting} and {Busy, AtDoor} 
and another reduction, depicted in Figure 8a. However, this reduction is not a proper one as the induced 
composition of the reduced detailed and the global behaviour in Figure 8 is not branching bisimilar with 
the original composition $\tau_{OK(G')}(\mathit{Client(DG)})$. 

It is instructive to consider a slightly different client. Now we assume that the client may decide to 
draw back the service request and return back to the initial state Out. The detailed STD and the global 
STD shown in Figure [9] differ from the model in Figure Q] only in the return transition. If we apply the 
same reasoning of Lemma 3 to this model of a client, we observe that the return transition does not 
change the situation regarding the reduction of the local behaviour. Again, the enter transition is not 
globally inert, for the same reasons as in the previous model. Similarly, return is also not globally inert. 
Still, the original quotient from Lemma 3 based on the inert actions explain and leave yields a proper 
reduction. See Figure 10. 

Figure 9: Modified client: (a) STD of Client', (b) phase and trap constraints. 

Figure 10: Branching bisimilar processes: (a) $\partial_H(\mathit{QClient'} \parallel \mathit{Client'(CS)})$, (b) $\tau_{OK(G)}(\mathit{Client'(DG)})$. 

The last example we consider as a further variation, named Client", is presented in Figure 11. The only 
change is now in the global STD Client"(CS). The client is provided service unconditionally, i.e. without 
interruption, even without needing it. But, if it doesn't need it the client is handled as if it does not 
need service any longer. The simplified global behaviour, with fewer phases and fewer traps, imposes fewer 
constraints on the detailed behaviour. Thus, the relation between the detailed and the global behaviour 
is rather loose. In Figure 12 the behaviour of process Client"(CS) and the parallel composition Client"(DG) 
are graphically represented. In order to show this formally, we again apply the first-reduce then-compose 
approach along the lines of Lemma 3 by taking the trivial split-up of $\mathit{States}_D$ along all detailed actions 
in $\mathit{Labels}_D$. Thus, we identify all local actions in $G'' = \mathit{Labels}_D$ as globally inert. The resulting quotient 
STD of QClient" and its process algebraic translation are shown in Figure 13bc. The composition of the 
reduced detailed behaviour of Client" with its global behaviour has now 3 states as shown in Figure 13d. 
A branching bisimulation between this process and the corresponding process $\tau_{G''}(\mathit{Client''(DG)})$ can be 
established easily. 

Figure 11: The Paradigm model of Client". 

Figure 12: Processes Client"(CS) and Client"(DG). 

In order to investigate the effect of the reduction on a larger scale, we have analyzed the client-server 
system using the mCRL2 toolset [11] and compared the implementation of the system using either the original 
Client components or their reduced versions QClient. The translation of ACP-based specifications of 
the n clients $\mathit{Client}_i$, the global $\mathit{Client}_i(\mathit{CS})$ and the server Server into the input language of the mCRL2 toolset, 
which we use for our model analysis, is largely straightforward (see also [3]). Indeed, the application of 
the first-reduce then-compose principle yields a significant decrease in the size of the state space in a number 
of cases. The results are collected in Table 1. 

4.2 Extracting detailed behaviour 

Intuitively it is clear that in the case of the client-server example the global behaviour does not change 
or influence the local behaviour. In fact, if in the total client behaviour Client(DG) we hide the actions 
crule?( ) from the set E performed by the global process (E for external), we obtain a process which is 
branching bisimilar to the detailed behaviour Client. This is expressed by the following lemma. 

Lemma 4. $\mathit{Client} \;\underline{\leftrightarrow}_b\; \tau_E(\mathit{Client(DG)})$. 

Proof. We start from the process Client(DG) as shown in Figure 5. After hiding the actions in E, i.e. renaming them into $\tau$, 
the process $\tau_E(\mathit{Client(DG)})$ is obtained, shown in Figure 14. A branching bisimulation equivalence between this process and 
the Client process can be defined without difficulty. In Figure 15 related states are connected by differently dotted lines. Note, we 
have mirrored the Client orientation with respect to the North-East South-West diagonal. □ 

Figure 13: (a) $\tau_{G''}(\mathit{Client''})$, (b) Client", (c) QClient", (d) composition of QClient" and Client"(CS). 

| n  | with Client: states | with Client: transitions | with QClient: states | with QClient: transitions |
|----|---------------------|--------------------------|----------------------|---------------------------|
| 2  | 69                  | 142                      | 32                   | 54                        |
| 3  | 297                 | 819                      | 92                   | 204                       |
| 4  | 1161                | 3996                     | 240                  | 656                       |
| 5  | 4293                | 17685                    | 592                  | 1920                      |
| 6  | 15309               | 73386                    | 1408                 | 5280                      |
| 10 | -                   | -                        | 36863                | 212480                    |

(no result for Client with n=10 within 24 hours) 
Table 1: Effect of the first-reduce then-compose approach. 

Figure 14: Process $\tau_E(\mathit{Client(DG)})$. 



In the general situation, the statement of the lemma provides a check on the constraints imposed by the 
global STD on the detailed one. In case the statement of the lemma holds, the complete behaviour of 
the component is preserved in the consistent composition, assuming the coordinating protocol provides 
all phase transfers in some order. In case the statement of the lemma does not hold, part of the original 
detailed behaviour has been eliminated because of the participation with the protocol. This may be 
deliberate and allows for further reduction of the detailed STD. This may be accidental, requiring the 
overall coordination to be revised. 



5 Concluding remarks 



Figure 15: Branching bisimulation between (a) $\tau_E(\mathit{Client(DG)})$ and (b) Client. 

In a Paradigm model several STDs may belong to the same component, describing the component's 
dynamics either at various levels of abstraction (detailed vs. global STDs) or describing different roles 
of the component in various collaborations. Collaboration between components is described in terms of 
dynamic constraints. Vertical consistency is maintained by keeping phases vs. detailed transitions and 
traps vs. transfers aligned. Starting point of our investigation here is the translation of Paradigm models 
into the process algebra ACP and its coupling with the mCRL2 toolset for subsequent automated analysis. 
In the translated model, every STD from the Paradigm model is represented by a recursive specification; 
the total behaviour of a single component is obtained as a composition of the recursive specifications of 
the detailed and the global component's STDs; the overall system is specified as a parallel composition 
of all components. 

In this paper we have described a method to reduce the Paradigm representation of the detailed STDs 
of the components, yielding reduction of the overall Paradigm models, but preserving the overall be- 
haviour. The reduction boils down to inferring globally inert detailed steps. By abstracting them away a 
smaller representation of the detailed component is obtained. This representation contains all informa- 
tion about the constraints the detailed behaviour imposes on the global behaviour(s) of the component. 
The formal validation that the reduction, indeed, does not change the overall model behaviour is achieved 
via the process algebraic representation of the model: we show for our client-server example that the re- 
duced model is branching bisimilar to the original one, having the same properties. Furthermore, by 
means of a proper abstraction, in this case applied at the global level, we can observe directly from the 
model, by a direct comparison, in which way the global behaviour, and thus the collaboration, affects the 
components' detailed behaviour. In case no influence is to be expected, it is sufficient to show that the 
component model is equivalent, up to branching bisimulation, to the detailed behaviour after all global 
steps are abstracted away. 

As to the contribution of this paper, we have established a further connection of process algebra 
and its supporting apparatus to the domain of coordination. In particular, abstraction and equivalences, 
typical for process algebra, become techniques that can be applied to coordination models, via the estab- 
lished link of the Paradigm language and ACP, in our case. Thus, coordination can be initially modeled 
in the Paradigm language which offers compositional and hierarchical modeling flexibility. Then, model 
reduction can be applied, if appropriate. Finally, via its process representation the model can be formally 
analyzed. 

As future work we want to address the reduction of general Paradigm models and property guided 
reduction, in particular in a situation with overlapping or orthogonal coordination. More specifically, it is 
interesting to study the notion of globally inert detailed steps for a component that participates in multiple 
collaborations. We plan to investigate whether other techniques from process algebraic analysis, e.g. 
iterated abstraction, and pattern-based simplifications can be beneficial for the modeling with Paradigm. 